Introduction: The Problem



• Security patches are meant to fix security vulnerabilities.

• Fixing problems and protecting computers and end users from risks.

• 1-day exploits

• The binary diffing technique can be used to identify the vulnerabilities

  • Especially useful for Microsoft's binaries



Introduction: The Solution

• Purpose: making 1-day exploits difficult and time-consuming

• Make binary differs' lives harder

• Severe code obfuscation is not an option

  • Need an efficient, lightweight code obfuscation

• In-house tool to achieve this

  • Hondon (meaning Chaos)



Binary Diffing: Demo

Just to grab an idea of what binary diffing is.

We will show a simple process of binary diffing.



Binary Diffing: The History

• BMAT: 10 years ago

• Halvar

  • Bindiff: Expensive commercial tool

  • Not affordable to most non-corporate researchers

• Todd

• eEye

• 2-3 free or open-source tools



Binary Diffing: BMAT (1999)

Heavily depends on symbolic name matching

Used mainly for Microsoft's binaries, whose symbols they have access to.

Auxiliary method: 64-bit hashing-based comparison for the blocks inside each procedure

  • hashing = multiple levels of abstraction over opcode and operands



Binary Diffing: Automated Reverse Engineering (2004)

• Halvar at Blackhat 2004

• Signature of functions

  • signatures = number of nodes, edges and calls

• Isomorphic comparison between the functions' CG

  • A function is a node and a calling relationship is an edge



Binary Diffing: Comparing binaries with graph isomorphism (2004)

Todd Sabin

Isomorphic matching of instruction graphs

Compares instructions, not basic blocks

  • Very unique

No POC ever released

  • Only a testing datasheet released



Binary Diffing: Structural Comparison of Executable Objects (2004)

• Improved version [SCEO] of Halvar's Blackhat 2004 presentation "Automated Reverse Engineering (2004)" [ARE]



Binary Diffing: Graph-based comparison of Executable Objects (2005)

• Improved on the previous paper "Structural Comparison of Executable Objects (2004)"

• Heavily dependent on CFG generation from the binaries



The Tools: Sabre Security's bindiff (2004)

Halvar

A commercial binary diffing tool

Based on his graph-based function fingerprinting theory.



The Tools: IDACompare (2005)

Based on signature scanning

Used for porting malware analysis data

Designed for files around 500k in size

  • Which is a small size



The Tools: eEye Binary Diffing Suite (2006)

Internally used for analysis of Microsoft's Patch Tuesday patches

Patch analysis was the only way to obtain some secret information they don't release

  • You can use your eyeballs instead of binary diffing tools

  • Some people have the talent

"DarunGrim" is one of the tools included and performs the main binary diffing analysis.



The Tools: Patchdiff2 (2008)

Made specifically for security patch or hotfix analysis

Uses a checksum of the call graph for signaturing

Sounds similar to bindiff



The Tools: DarunGrim2 (2008)

• The improved version of the eEye Binary Diffing Suite

• Uses C++ instead of Python to overcome performance and memory footprint issues

• Will be open-sourced in a few weeks



DarunGrim2: Algorithms

Previous work in binary difference analysis was mainly concentrated on graph structure analysis and graph isomorphism.

• Intensive comparison of two graphs

• Dependency on the disassembler's CFG analysis capabilities

The "Basic Block Fingerprint Hash Map" is the way to overcome this limitation and to improve the analysis result drastically.



Algorithms: Basic Block Fingerprint Hash Map

• The fingerprint hashing method is the main algorithm of DarunGrim2

• Fingerprint of a block = extracted from its instruction sequence

• Two fingerprint hash tables, one for the original binary and one for the patched binary

• For each unique fingerprint from the original binary

  • DarunGrim2 checks whether the patched binary's fingerprint hash table has a matching entry.



Algorithms: Basic Block Fingerprint Hash Map

• Generating a fingerprint for a basic block

  • Using IDA

  • Overcoming order dependency

  • Reducing hash collisions

  • Merge multiple fingerprints from parent and children

• Determining matching functions

  • Count the number of matching basic blocks; choose the pair that has the highest number of matches

• Matching blocks inside a function

  • After the function match is determined, use locality.
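The fingerprint hash map procedure of the two slides above (unique-fingerprint lookup, function matching by counting matched blocks, then locality inside each matched function pair), as an added example that is not DarunGrim2's code. The block dictionaries, the function names and the operand normalisation regex are constructed for the example.

```python
import hashlib
import re
from collections import Counter, defaultdict

# Constructed sample input (not DarunGrim2 data): address -> (owning function, instructions).
# The patched copy is the same code relocated, with one constant changed in block 0x50100C;
# the "xor eax, eax / pop ebp / retn" epilogue occurs twice, so its fingerprint is not unique.
ORIGINAL = {
    0x401000: ("func_a", ["push ebp", "mov ebp, esp", "mov eax, [ebp+8]", "test eax, eax", "jz loc_401020"]),
    0x40100C: ("func_a", ["mov ecx, [eax+4]", "cmp ecx, 10h", "jnb loc_401030"]),
    0x401020: ("func_a", ["xor eax, eax", "pop ebp", "retn"]),
    0x402000: ("func_b", ["push esi", "mov esi, ecx", "call sub_403000", "pop esi", "retn"]),
    0x402010: ("func_b", ["xor eax, eax", "pop ebp", "retn"]),
}
PATCHED = {
    0x501000: ("sub_501000", ["push ebp", "mov ebp, esp", "mov eax, [ebp+8]", "test eax, eax", "jz loc_501020"]),
    0x50100C: ("sub_501000", ["mov ecx, [eax+4]", "cmp ecx, 0Ch", "jnb loc_501030"]),
    0x501020: ("sub_501000", ["xor eax, eax", "pop ebp", "retn"]),
    0x502000: ("sub_502000", ["push esi", "mov esi, ecx", "call sub_503000", "pop esi", "retn"]),
    0x502010: ("sub_502000", ["xor eax, eax", "pop ebp", "retn"]),
}

ADDR = re.compile(r"\b(?:loc|sub|off|unk|dword)_[0-9A-Fa-f]+\b")

def fingerprint(insns):
    """Fingerprint of a block: hash of its instruction sequence with address-like
    operands abstracted, so relocated code still hashes to the same value."""
    return hashlib.sha1("\n".join(ADDR.sub("ADDR", i) for i in insns).encode()).hexdigest()

def build_table(blocks, only=None):
    """fingerprint -> [addresses]; `only` restricts the table to one function."""
    table = defaultdict(list)
    for addr, (func, insns) in blocks.items():
        if only is None or func == only:
            table[fingerprint(insns)].append(addr)
    return table

def match_unique(orig, patched, f_orig=None, f_pat=None):
    """Pair blocks whose fingerprint occurs exactly once on each side."""
    t_o, t_p = build_table(orig, f_orig), build_table(patched, f_pat)
    return {a[0]: t_p[fp][0] for fp, a in t_o.items()
            if len(a) == 1 and len(t_p.get(fp, ())) == 1}

def match_functions(orig, patched, block_matches):
    """Vote with the matched blocks: the (orig func, patched func) pair with the
    most matching blocks wins; each function is used at most once."""
    votes = Counter((orig[a][0], patched[b][0]) for a, b in block_matches.items())
    best = {}
    for (fa, fb), _ in votes.most_common():
        if fa not in best and fb not in best.values():
            best[fa] = fb
    return best

def diff(orig, patched):
    """Global fingerprint matching, then function matching, then locality: inside
    each matched function pair, fingerprints that were not globally unique are retried."""
    blocks = match_unique(orig, patched)
    funcs = match_functions(orig, patched, blocks)
    for fa, fb in funcs.items():
        blocks.update(match_unique(orig, patched, fa, fb))
    unmatched = sorted(a for a in orig if a not in blocks)   # the candidate patched blocks
    return funcs, blocks, unmatched
```

The epilogue blocks are only paired in the locality pass, and the one block left unmatched is the one whose constant the patch changed.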



Algorithms: Symbolic Names Matching

Basic starting point for the binary matching procedure

Microsoft is generous enough to provide symbol files as soon as the patch is out



Algorithms: Structure Based Analysis

• Philosophy of divide and conquer

  • Similar to that of the BMAT tool

• Calculating the match rate

  • Compare fingerprint strings using a string match algorithm, the same algorithm used in GNU diff(1)

  • Determines "Stop" (if the match rate is under n%) or "Go" (if the match rate is over n%).

• Need to recognize control flow inversion

  • Todd's method: categorizing control flow
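The match-rate step above, as an added example (not DarunGrim2's implementation): the two functions' fingerprint strings are aligned with the longest-common-subsequence approach that GNU diff(1) uses, the rate is 2 * common / total, and a threshold decides Stop or Go. The fingerprint lists and the 50% threshold are constructed for the example.

```python
from difflib import SequenceMatcher

# Constructed sample (not DarunGrim2 output): one short fingerprint per basic block, in
# address order, for a function in the original and in the patched binary. The patch
# removed block "060102" and inserted "aa0301" later in the function.
ORIG_BLOCKS = ["7a0102", "8f0502", "060102", "2c0402", "8f0202", "1e0102", "160102"]
PAT_BLOCKS = ["7a0102", "8f0502", "2c0402", "8f0202", "aa0301", "1e0102", "160102"]

def common_blocks(orig, patched):
    """Longest-common-subsequence alignment of the two fingerprint strings, the same
    idea GNU diff(1) applies to the lines of two files."""
    sm = SequenceMatcher(a=orig, b=patched, autojunk=False)
    return [m for m in sm.get_matching_blocks() if m.size]

def match_rate(orig, patched):
    """2 * (blocks on the common subsequence) / (blocks on both sides), in percent."""
    common = sum(m.size for m in common_blocks(orig, patched))
    total = len(orig) + len(patched)
    return 100.0 * 2 * common / total if total else 0.0

def aligned_pairs(orig, patched):
    """(original index, patched index) for every block on the common subsequence.
    These anchors are the 'divide' step: the gaps between them are the regions
    that still need a closer look (the changed or inserted blocks)."""
    return [(m.a + k, m.b + k) for m in common_blocks(orig, patched) for k in range(m.size)]

def decide(orig, patched, threshold=50.0):
    """'Go' (accept the function pair and descend into its blocks) when the match
    rate reaches n% = threshold, otherwise 'Stop'."""
    rate = match_rate(orig, patched)
    return ("Go" if rate >= threshold else "Stop"), rate
```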



DarunGrim2: Real Life Issues 

Split Blocks 

Hot Patching 

Basic Blocks in Multiple Functions 



Real Life Issues: Split Blocks

[Screenshot: DarunGrim2 Graphs view of the original and patched function with the List Of Matches pane (Functions / Blocks tabs; columns Original, Patched, Match, Type, Fingerprint (Original), Fingerprint (Patched), Parent (Original), Parent (Patched)). The original block ends in "mov ebx, [ebp+var_24] / cmp dword ptr [eax+0Ch], 3 / jnz loc_757AC140"; the patched block reads "or [ebp+var_4], 0FFFFFFFFh / call sub_7CB41195 / mov ebx, [ebp+var_24] / jmp short loc_7CB411BA". Listed block pairs: 757AC162, 757AC04E, 757ABFA5 / 7CB4103B, 757ABF9E / 7CB41031.]



Real Life Issues: Split Blocks

• "The block that has one child, where the child of the block has only one parent in the CFG."

• Split blocks tend to make the CFG broken

  • The matching process is incomplete.

• Need to merge split blocks



Real Life Issues: Split Blocks

[Screenshot: DarunGrim2 Graphs view of sub_757ABEF5 (original) and sub_7CB40F90 (patched). In the original, block 757AC02B holds the whole sequence "or [ebp+var_4], 0FFFFFFFFh / call ... / mov ebx, [ebp+var_24] / mov eax, [ebp+...] / cmp dword ptr [eax+...], 3 / jnz loc_757AC140"; in the patched binary the same instructions are split into two blocks joined by a "jmp short loc_7CB411BA". Both then continue with "cmp [ebp+var_2C], 2 / jnb ..." (757AC044 and 7CB411C3) towards 757AC140 / 7CB411D1. The List Of Matches pane shows:

Original   Patched    Match   Type
757AC02B   7CB41185   100%    Fingerprint
757AC025   7CB410BC   100%    Tree
757AC013   7CB410AA   100%    Tree
757AC001   7CB41095   100%    Tree]

Real Life Issues: Hot Patching

.text:765D1E9C ; int __stdcall sub_765D1E9C(unsigned __int8 *NetworkAddr, int)
.text:765D1E9C sub_765D1E9C proc near
.text:765D1E9C     mov eax, eax
.text:765D1E9E
.text:765D1E9E ; __stdcall W32TimeGetNetlogonServiceBits(x, x)
.text:765D1E9E _W32TimeGetNetlogonServiceBits@8:
.text:765D1E9E     push ebp
.text:765D1E9F     mov ebp, esp
.text:765D1EA1     push 0FFFFFFFFh
.text:765D1EA3     push offset dword_765D1F80

• Solution: Just ignore any hot-patching preamble
• Pattern: mov RegA, RegA at the start of a function
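Both CFG clean-ups from the "Split Blocks" and "Hot Patching" slides, as one added example (not DarunGrim2's code): the entry block loses a leading "mov RegA, RegA", and any block with exactly one child whose only parent is that block is merged with the child until no such pair remains. The CFG dictionary and its addresses are constructed for the example.

```python
import re

# Constructed CFG (not from the slides' binary): address -> (instructions, successors).
# The entry block starts with the hot-patching preamble seen at sub_765D1E9C above, and
# the disassembler split the straight-line code 0x1000 / 0x1005 / 0x100A into three blocks:
# each has one child, and that child has no other parent.
CFG = {
    0x1000: (["mov eax, eax", "push ebp", "mov ebp, esp"], [0x1005]),
    0x1005: (["mov eax, [ebp+8]", "test eax, eax"], [0x100A]),
    0x100A: (["mov ecx, [eax+4]", "cmp ecx, 2", "jnb loc_1020"], [0x1012, 0x1020]),
    0x1012: (["xor edi, edi", "jmp loc_1030"], [0x1030]),
    0x1020: (["mov edi, 1"], [0x1030]),
    0x1030: (["mov eax, edi", "pop ebp", "retn"], []),   # two parents: never merged
}

HOTPATCH = re.compile(r"^\s*mov\s+(\w+)\s*,\s*\1\s*$", re.IGNORECASE)

def strip_hotpatch_preamble(insns):
    """Drop a leading 'mov RegA, RegA' so the preamble cannot change the entry
    block's fingerprint between the original and the patched binary."""
    return insns[1:] if insns and HOTPATCH.match(insns[0]) else insns

def parents_of(cfg):
    """address -> list of predecessor addresses."""
    parents = {addr: [] for addr in cfg}
    for addr, (_, succs) in cfg.items():
        for s in succs:
            parents[s].append(addr)
    return parents

def merge_split_blocks(cfg, entry):
    """Merge every block that has exactly one child whose only parent is that block,
    repeating until no such pair is left. Returns a new CFG; the input is untouched."""
    cfg = {a: (list(i), list(s)) for a, (i, s) in cfg.items()}
    cfg[entry] = (strip_hotpatch_preamble(cfg[entry][0]), cfg[entry][1])
    merged = True
    while merged:
        merged = False
        parents = parents_of(cfg)
        for addr, (insns, succs) in list(cfg.items()):
            child = succs[0] if len(succs) == 1 else None
            if child is not None and child != addr and parents[child] == [addr]:
                c_insns, c_succs = cfg.pop(child)
                cfg[addr] = (insns + c_insns, c_succs)
                merged = True
                break            # the parent map is stale now: rebuild it and rescan
    return cfg
```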



Real Life Issues: Basic Blocks in Multiple Functions

• Usually one basic block belongs to one function

• There are some cases where one basic block can be part of multiple functions.

  • For example: the Windows kernel

• The limitation with IDA

  • One function for one basic block



Real Life Issues: Basic Blocks in Multiple Functions

Perform additional custom CFG analysis

  • Doesn't totally rely on IDA's CFG analysis

Design the data structure to make it possible for

  • a basic block to belong to multiple functions.



Real Life Issues: Instruction Reordering

During ARM binary diffing experiments

  • we found that a lot of instruction reordering happens between releases.

  • The binary differ is confused a lot and marks all the same blocks as being different



Real Life Issues: Instruction Reordering

[Screenshot: DarunGrim2 Graphs view of two ARM blocks (original 4C078 area, patched 37ECC area) that contain the same instructions (LDR R0/R1/R2 from the literal pool, MOV R3, =0, STR R3, [SP], LDR R0, [R0], LDR R1, [R1], LDR R2, [R2], MOV R3, R4, BL ..., then SUB SP, R7, #0x18 and LDMFD) in a different order. The List Of Matches pane lists the block pairs as Tree matches at 88%, 95% and 100% and one Fingerprint match at 100%, with matching fingerprints on both sides.]

Real Life Issues: Instruction Reordering

Original:
    STMFD SP!, {R4-R7,LR}
    ADD R7, SP, #0x14+var_8
    LDR R1, =(off_3AFD86B8 - 0x32FF9A88)
    LDR R3, [PC,R3]
    MOV R6, R2
    STR R3, [SP,#0x20+var_1C]
    BL objc_msgSendSuper2
    SUBS R5, R0, #0
    BEQ loc_32FF9B84

Patched:
    STMFD SP!, {R4-R7,LR}
    ADD R7, SP, #0x14+var_8
    LDR R1, =(off_3B2CDE70 - 0x33328E10)
    LDR R3, [PC,R3]
    MOV R6, R2
    STR R3, [SP,#0x20+var_1C]
    BL objc_msgSendSuper2
    SUBS R5, R0, #0
    BEQ loc_33328F08

Real Life Issues: Instruction Reordering

Generate a data flow graph and serialize each node

[Figure: data flow graph; the node "MOV R0, SP" feeds the node "SUB R5, R0, #0" through R0.]
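The "data flow graph, serialize each node" idea above, as an added example (not DarunGrim2's implementation): each instruction becomes a node hashed from its address-normalised text plus the hashes of the nodes it reads from, and the block fingerprint is the hash of the sorted node hashes, so two blocks with the same data flow but reordered instructions get the same fingerprint. The ARM operand model (which registers each mnemonic reads and writes, flags as a resource, memory ordering ignored) is a simplification assumed for the example; the sample blocks are constructed after the listing above.

```python
import hashlib
import re

# Constructed sample (not from the slides' binaries), modelled on the ARM function above:
# the same basic block as two compiler releases emitted it, with independent instructions
# in a different order and different literal-pool and branch addresses.
ORIGINAL = [
    "STMFD SP!, {R4-R7,LR}", "ADD R7, SP, #0x14+var_8", "LDR R1, =(off_3AFD86B8 - 0x32FF9A88)",
    "MOV R6, R2", "LDR R3, =(off_3AFD9AAC - 0x32FF9A80)", "LDR R3, [PC,R3]",
    "STR R3, [SP,#0x20+var_1C]", "BL objc_msgSendSuper2", "SUBS R5, R0, #0", "BEQ loc_32FF9B84",
]
REORDERED = [
    "STMFD SP!, {R4-R7,LR}", "LDR R1, =(off_3B2CDE70 - 0x33328E10)", "ADD R7, SP, #0x14+var_8",
    "LDR R3, =(off_3B2CF6C8 - 0x33328E08)", "LDR R3, [PC,R3]", "MOV R6, R2",
    "STR R3, [SP,#0x20+var_1C]", "BL objc_msgSendSuper2", "SUBS R5, R0, #0", "BEQ loc_33328F08",
]
# A real change: MOV R6, R2 now reads R2 after the call has clobbered it.
CHANGED = ORIGINAL[:3] + ORIGINAL[4:8] + ["MOV R6, R2"] + ORIGINAL[8:]

REG = re.compile(r"\b(R\d+|SP|LR|PC)\b")
RANGE = re.compile(r"\bR(\d+)-R(\d+)\b")
ADDR = re.compile(r"\b(?:off|loc|sub|unk)_[0-9A-Fa-f]+\b|\b0x[0-9A-Fa-f]{6,}\b")

def regs_in(ops):
    """Registers named in an operand string, with R4-R7 style ranges expanded."""
    ops = RANGE.sub(lambda m: ",".join(f"R{i}" for i in range(int(m[1]), int(m[2]) + 1)), ops)
    return REG.findall(ops)

def defs_uses(insn):
    """Simplified ARM semantics, an assumption of this example: (written, read) resources.
    Memory ordering is ignored; the condition flags are modelled as the resource FLAGS."""
    mnem, _, ops = insn.partition(" ")
    mnem, regs = mnem.upper(), regs_in(ops)
    if mnem == "BL":                                   # call: clobbers argument registers and LR
        return {"R0", "R1", "R2", "R3", "LR"}, {"R0", "R1", "R2", "R3"}
    if mnem.startswith("B"):                           # conditional branch reads the flags
        return set(), {"FLAGS"}
    if mnem == "CMP":
        return {"FLAGS"}, set(regs)
    if mnem.startswith(("STR", "STM")):                # stores read every named register
        return ({"SP"} if "!" in ops else set()), set(regs)
    if not regs:
        return set(), set()
    defs, uses = {regs[0]}, set(regs[1:])              # Rd first, then the sources
    if mnem.endswith("S"):
        defs.add("FLAGS")
    return defs, uses

def dfg_fingerprint(block):
    """Serialize the block's data flow graph: a node is hashed from its own
    address-normalised text plus the hashes of the nodes producing what it reads
    (live-in values are named); the block fingerprint is the hash of the sorted
    node hashes, which makes it independent of instruction order."""
    last_def, nodes = {}, []
    for insn in block:
        defs, uses = defs_uses(insn)
        producers = sorted(last_def.get(u, "live-in:" + u) for u in uses)
        node = hashlib.sha1("|".join([ADDR.sub("ADDR", insn)] + producers).encode()).hexdigest()
        nodes.append(node)
        for d in defs:
            last_def[d] = node
    return hashlib.sha1("".join(sorted(nodes)).encode()).hexdigest()
```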



Real Life Issues: Instruction Reordering

[Screenshot: side-by-side listing of the same function in the original (0x32FF9A..) and patched (0x33328E..) binaries. The STMFD SP!, {R4-R7,LR} / ADD R7, SP, #0x14+var_8 / SUB SP, SP, #0xC / MOV R0, SP / STR R0, [SP,#0x20+var_20] / LDR R3, =(...) / LDR R3, [PC,R3] / STR R3, [SP,#0x20+var_1C] / LDR R1, =(...) / LDR R1, [PC,R1] ; "initWithPath:" / BL objc_msgSendSuper2 / MOV R6, R2 / SUBS R5, R0, #0 / BEQ instructions are the same on both sides but appear in a different order; lines connect the matching instructions.]



Examples

Microsoft's Binaries

Non-Microsoft Binaries

Malware



Gathering Binaries

Each vendor's patch pages

  • Use MS patch pages

Need to archive binary files for future patch releases

  • SortExecutables.exe: sorts PE binaries according to their version information.

  • <Company Name>\<File Name>\<Version Name>



Gathering Binaries: SortExecutables

• You can make your own archive of binaries in a more organized way



Performing Diffing

Using DarunGrim2.exe and two IDA sessions

  • First launch DarunGrim2.exe

  • Launch two IDA sessions

  • First run the DarunGrim2 plugin from the original binary

  • Secondly run the DarunGrim2 plugin from the patched binary

Using the DarunGrim2C.exe command line tool

  • Handy

  • Batch-able

  • Quick



The infamous MS08-067 (which was exploited by Conficker)

• The Conficker worm exploited this vulnerability to propagate through internal networks.

• Easy target for binary diffing: only 2 functions changed.

  • One is a change in calling convention.

  • The other is the function that has the vulnerability



The infamous MS08-067 (which was exploited by Conficker)

[Screenshot: DarunGrim2 window (title mentions the Server Service) with the Graphs view of sub_5B86A51A and the List Of Matches pane (Functions / Blocks tabs; columns Match, Type, Fingerprint (Original), Fingerprint (Patched), Parent (Original), Parent (Patched)).]



MS08-063: DarunGrim2 vs bindiff

Modified Functions

Original                            | Patched                            | Unmatched | Different | Matched | Match
_SrvCompleteRfcbClose@4             | _SrvCompleteRfcbClose@4            | 1         | 3         | 13      | 90%
_SrvRestartRawReceive@4             | _SrvRestartRawReceive@4            | 1         | 5         | 25      | 90%
_SrvIssueQueryDirectoryRequest@32   | _SrvIssueQueryDirectoryRequest@32  | 2         | 1         | 23      | 94%
func_1D0E4                          | func_1CD48                         |           | 1         | 11      | 95%
_SrvFsdRestartPrepareRawMdlWrite@4  | _SrvFsdRestartPrepareRawMdlWrite@4 | 3         | 1         | 43      | 95%
_SrvRequestOplock@12                | _SrvRequestOplock@12               |           | 2         | 40      | 97%
_GenerateOpen2Response@8            | _GenerateOpen2Response@8           |           | 1         | 57      | 99%



MS08-063: DarunGrim2 vs bindiff 

_SrvIssueQueryDirectoryRequest@32 




MS08-063: DarunGrim2 vs bindiff

Patched Blocks

[Screenshot: block graph of the patched _SrvIssueQueryDirectoryRequest@32. Visible blocks: "and ebx, 0FFFFFFFCh / mov [ebp+Length], ebx / mov edi, [ebp+VirtualAddress] / ... / rep movsb / mov [ebx], cx / mov ax, [eax] / mov [ebx+2], ax / lea eax, [ebx+8] / mov [ebx+4], eax / xor edi, edi / jmp short ..." and the new block "lea eax, [ebp+Length] / push edi / push [ebp+arg_8] / call _RtlULongSub@12 ; RtlULongSub(x,x,x) / test eax, eax".]




MS08-063: DarunGrim2 vs bindiff

Patched Blocks

[Screenshot: the patched block at 391CE: "movzx edi, ax / lea eax, [ebp+Length] / push eax / push edi / push [ebp+arg_8] / call _RtlULongSub@12 ; RtlULongSub(x,x,x) / test eax, eax / jl short loc_391F4".]




MS08-063: DarunGrim2 vs bindiff

Bindiff Results

[Screenshot: BinDiff results window.]



MS08-063: DarunGrim2 vs bindiff

False Negatives

DarunGrim2:
  _SrvCompleteRfcbClose@4
  _SrvRestartRawReceive@4
  _SrvIssueQueryDirectoryRequest@32
  func_1D0E4
  _SrvFsdRestartPrepareRawMdlWrite@4
  _SrvRequestOplock@12
  _GenerateOpen2Response@8

vs

bindiff:
  SrvIssueQueryDirectoryRequest
  SrvRestartRawReceive
  SrvFsdRestartPrepareRawMdlWrite



MS09-020: WebDav case

Patched function looks almost the same

[Screenshot: Graphs view of ?ScConvertToWide@@YIJPBD... (original) and ?ScConvertToWide@@YIJPBDPA... (patched). Both push the same arguments (cchWideChar, lpWideCharStr, cchMultiByte, lpMultiByteStr, dwFlags, CodePage) and call MultiByteToWideChar, then call GetLastError; the blocks at 6F0696B9 and 6F0696E1 compare the GetLastError result with 7Ah.]



MS09-020: WebDav case

Flags have changed

Original:
    mov eax, [ebp-12Ch]
    push dword ptr [eax]       ; cchWideChar
    mov eax, [ebp-124h]
    push dword ptr [ebp-130h]  ; lpWideCharStr
    sub eax, esi
    push ebx                   ; cchMultiByte
    push dword ptr [ebp-128h]  ; lpMultiByteStr
    neg eax
    sbb eax, eax
    and eax, 8
    push eax                   ; dwFlags
    push dword ptr [ebp-124h]  ; CodePage
    call edi                   ; MultiByteToWideChar(x,x,x,x,x,x)

Patched:
    push dword ptr [ebx]       ; cchWideChar
    mov esi, ds:__imp__MultiByteToWideChar@24 ; MultiByteToWideChar(x,x,x,x,x,x)
    push dword ptr [ebp-12Ch]  ; lpWideCharStr
    sub eax, ecx
    lea edi, [eax+1]
    push edi                   ; cchMultiByte
    push dword ptr [ebp-124h]  ; lpMultiByteStr
    push 8                     ; dwFlags
    push dword ptr [ebp-128h]  ; CodePage
    call esi                   ; MultiByteToWideChar(x,x,x,x,x,x)



MS09-020: WebDav case

What does flag 8 mean?

MSDN (http://msdn.microsoft.com/en-us/library/dd319072(VS.85).aspx) declares the following:

MB_ERR_INVALID_CHARS: Windows Vista and later: The function does not drop illegal code points if the application does not set this flag.

Windows 2000 Service Pack 4, Windows XP: Fail if an invalid input character is encountered. If this flag is not set, the function silently drops illegal code points. A call to GetLastError returns ERROR_NO_UNICODE_TRANSLATION.



MS09-020: WebDav case

Broken UTF8 Heuristics?

    6F0695EA mov esi, 0FDE9h

    6F069641 call ?FlsUTF8Url@@YIHPBD@Z ; FlsUTF8Url(char const *)
    6F069646 test eax, eax
    if (!eax)
    {
    6F0695C3 xor edi, edi
    6F06964A mov [ebp-124h], edi
    }
    else
    {
    6F069650 cmp [ebp-124h], esi
    }

    6F0696C9 mov eax, [ebp-124h]
    6F0696D5 sub eax, esi
    6F0696DE neg eax
    6F0696E0 sbb eax, eax
    6F0696E2 and eax, 8
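A worked reading of the flag computation above, as an added example that is not part of the slides: emulating sub / neg / sbb / and on 32-bit registers shows that the original code passes MB_ERR_INVALID_CHARS (8) only when the code page is not 0FDE9h (CP_UTF8, 65001), so for UTF-8 input the flag was absent and, per the MSDN text quoted above, illegal code points were silently dropped; the patched code pushes 8 unconditionally. The url_is_utf8 and codepage parameters stand for the FlsUTF8Url() result and [ebp-124h] and are assumptions of the example.

```python
CP_UTF8 = 0xFDE9              # esi on the slide (65001)
MB_ERR_INVALID_CHARS = 8      # the dwFlags value the patched code pushes unconditionally
MASK = 0xFFFFFFFF

def original_dwflags(url_is_utf8, codepage):
    """Emulates the original logic on 32-bit registers: [ebp-124h] is zeroed when
    FlsUTF8Url() fails, then eax = [ebp-124h]; sub eax, esi; neg eax; sbb eax, eax; and eax, 8."""
    eax = (codepage if url_is_utf8 else 0) & MASK
    eax = (eax - CP_UTF8) & MASK          # sub eax, esi
    cf = 1 if eax != 0 else 0             # neg sets CF unless the operand was zero
    eax = (-eax) & MASK                   # neg eax
    eax = (eax - eax - cf) & MASK         # sbb eax, eax: 0 or 0xFFFFFFFF
    return eax & MB_ERR_INVALID_CHARS     # and eax, 8

def patched_dwflags(url_is_utf8, codepage):
    """The patched function pushes 8 regardless of the code page."""
    return MB_ERR_INVALID_CHARS

def compare(cases):
    """(url_is_utf8, codepage) -> (original dwFlags, patched dwFlags) for each case."""
    return {c: (original_dwflags(*c), patched_dwflags(*c)) for c in cases}
```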



JRE Font Manager Buffer Overflow (Sun Alert 254571)

[Screenshot: DarunGrim2 Graphs view with the List Of Matches pane (Functions / Blocks tabs; columns Fingerprint (Original), Fingerprint (Patched), Parent (Original), Parent (Patched)).]



JRE Font Manager Buffer Overflow (Sun Alert 254571)

[Screenshot: block graph of the original function: "push edi / mov edi, [esp+10h] / lea eax, [edi+0Ah] / cmp eax, 2000000h / jnb short loc_6D2C4A8D" followed by "call ds:malloc".]

Original:
    .text:6D2C4A79 lea eax, [edi+0Ah]
    .text:6D2C4A7C cmp eax, 2000000h
    .text:6D2C4A81 jnb short loc_6D2C4A8D
    .text:6D2C4A83 push eax ; size_t
    .text:6D2C4A84 call ds:malloc

Patched:
    .text:6D244B07 mov edi, [esp+10h]
    .text:6D244B0B mov eax, 2000000h
    .text:6D244B10 cmp edi, eax
    .text:6D244B12 jnb short loc_6D244B2B

    .text:6D244B17 cmp ecx, eax
    .text:6D244B19 jnb short loc_6D244B25
    .text:6D244B1B push ecx ; size_t
    .text:6D244B1C call ds:malloc
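The two listings above as an added example (not from the slides or the JRE): as I read them, the original only bounds-checks edi+0Ah, a 32-bit sum that wraps for very large edi, whereas the patch checks the raw value in edi and the derived size in ecx separately before malloc. How ecx is derived is elided on the slide, so the size is a parameter here; MASK, LIMIT and HEADER are names chosen for the example.

```python
MASK = 0xFFFFFFFF
LIMIT = 0x2000000   # the bound both versions compare against (2000000h)
HEADER = 0xA        # the original adds 0Ah to the caller's value before checking

def original_size(length):
    """Original: eax = length + 0Ah in 32-bit arithmetic; malloc(eax) unless eax >= 2000000h.
    Returns the size handed to malloc, or None when the jnb rejects it."""
    size = (length + HEADER) & MASK          # lea eax, [edi+0Ah] wraps at 2**32
    return size if size < LIMIT else None    # cmp eax, 2000000h / jnb

def patched_size(length, size):
    """Patched: reject when the raw length is >= 2000000h, then again when the derived
    size (ecx; its computation is elided on the slide, so it is a parameter here)
    is >= 2000000h; only then malloc(ecx)."""
    if length >= LIMIT or size >= LIMIT:     # cmp edi, eax / jnb ... cmp ecx, eax / jnb
        return None
    return size

def compare(length):
    """Side by side: what each version would pass to malloc for one input length."""
    return original_size(length), patched_size(length, (length + HEADER) & MASK)
```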



Malware: 4th of July DDOS Attack

On this 4th of July a DDOS attack was fired against some US government and corporate sites.

  • It had very limited impact against the targets

For some reason they changed their targets to South Korean government and major news sites.

  • This time it was a huge success and the targets were almost unreachable during the attack period (3 days).

  • During that time a few variants of malware samples were collected.



Malware: 4th of July DDOS Attack: Comparison of variants

[Screenshot: DarunGrim2 comparison of two malware variants, side by side.]




Malware: 4th of July DDOS Attack

• These are the routines that save the new attack targets.

• In the binary, this part was the only modification.

• It can save a lot of time for the malware analysts.



Anti-Binary Diffing

Symbol Mangling

Reordering and replacing instructions

CFG Altering

  • Call that never returns

  • Sharing Basic Blocks

  • Use multiple heads for a function

CG Altering

  • Use proxy call



Anti Binary Diffing Tool: Hondon

Hondon = 혼돈 = 混沌 = Chaos

  • A state that can't be divided and defined.

Don't do extensive code obfuscation that can affect performance

  • Just make the code not easily disassemble-able.

  • Disassemblability is not a mandatory feature for a legitimate binary.

  • Usually make IDA's function recognition fail



Anti Binary Diffing Tool: Hondon

Implements CFG altering

  • Minor CFG altering breaks IDA

Tested under 5.0 and 5.5.

  • 5.0 is broken severely

  • 5.5 is much better, but is still very confused with function recognition

Hondon works as an IDA plugin

  • In the real world it should be implemented as a part of the compiler (like Visual C++ or gcc).

  • Use binary rewriting to generate the obfuscated binary



Hondon: Demo

Check how IDA can be confused.



Conclusion

The 1-day exploit threat is real

  • Someone finds the vulnerabilities that were fixed silently

  • Bugs tend to aggregate, many times around where bugs were found before

  • Some fixes are incomplete, and someone can find those facts and exploit the conditions

"Hondon" attacks the binary differs' weak points

  • Dependency on disassemblers for CFG and CG



DarunGrim2 and Hondon

http://www.darungrim.org

• All the source code and latest binaries will be uploaded within 2 weeks



Questions? 



